WireGuard Archive on lore.kernel.org
* [Feature Request] Add ability to exclude subnets from AllowedIPs
@ 2019-08-22 19:10 Aryn Starr
  2019-08-25 19:17 ` Derrick Lyndon Pallas
  0 siblings, 1 reply; 4+ messages in thread
From: Aryn Starr @ 2019-08-22 19:10 UTC (permalink / raw)
  To: wireguard

I live in Iran, and here the internet censorship is fierce. I need to route almost all of my traffic through the VPN, but some domestic sites are not accessible from the US. Also, since ISPs apply different censoring rules, sometimes my own servers are not reachable via the VPN (because the server’s ISP blocks the VPN, while my local ISP does not.)
The best current solution I’ve seen is
```
$ python3
>>> import ipaddress
>>> n1 = ipaddress.ip_network('106.203.202.0/23')
>>> n2 = ipaddress.ip_network('106.203.203.13/32')
>>> l = list(n1.address_exclude(n2))
>>> print(l)
```
Which is terrible.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: [Feature Request] Add ability to exclude subnets from AllowedIPs
  2019-08-22 19:10 [Feature Request] Add ability to exclude subnets from AllowedIPs Aryn Starr
@ 2019-08-25 19:17 ` Derrick Lyndon Pallas
  2019-08-25 20:26   ` Aryn Starr
  0 siblings, 1 reply; 4+ messages in thread
From: Derrick Lyndon Pallas @ 2019-08-25 19:17 UTC (permalink / raw)
  To: Aryn Starr; +Cc: wireguard


Why wouldn't this happen as an iptables rule?

If some AllowedIPs trick is working for you and you're using Python and the kernel version of WireGuard, check out [1], which will allow you to programmatically set up the interface.

FWIW, I'm not sure adding complication to AllowedIPs is the right approach, but adding it to a tool seems reasonable. Maybe it also makes sense to allow an IPset, but I haven't thought it through. My gut says routing prior to WireGuard is probably what you're looking for.

[1] https://github.com/ArgosyLabs/wgnlpy

~Derrick • iPhone

> On Aug 22, 2019, at 12:10 PM, Aryn Starr <whereislelouch@icloud.com> wrote:
> 
> I live in Iran, and here the internet censorship is fierce. I need to route almost all of my traffic through the VPN, but some domestic sites are not accessible from the US. Also, since ISPs apply different censoring rules, sometimes my own servers are not reachable via the VPN (because the server’s ISP blocks the VPN, while my local ISP does not.)
> The best current solution I’ve seen is
> ```
> $ python3
> 
> >>> import ipaddress
> >>> n1 = ipaddress.ip_network('106.203.202.0/23')
> >>> n2 = ipaddress.ip_network('106.203.203.13/32')
> >>> l = list(n1.address_exclude(n2))
> >>> print(l)
> 
> ```
> Which is terrible.




* Re: [Feature Request] Add ability to exclude subnets from AllowedIPs
  2019-08-25 19:17 ` Derrick Lyndon Pallas
@ 2019-08-25 20:26   ` Aryn Starr
  2019-08-26 17:48     ` Ivan Labáth
  0 siblings, 1 reply; 4+ messages in thread
From: Aryn Starr @ 2019-08-25 20:26 UTC (permalink / raw)
  To: Derrick Lyndon Pallas; +Cc: wireguard


I haven’t tested that AllowedIPs approach actually. I’ll take a look at that Python wrapper, thanks.
I don’t know much about iptables and routing. I think learning it sufficiently will take quite some time? Or are there some tutorials around?
I also actually use WireGuard with macOS (though I occasionally use it on Linux, too).

> On Aug 25, 2019, at 11:47 PM, Derrick Lyndon Pallas <derrick@pallas.us> wrote:
> 
> Why wouldn't this happen as an iptables rule?
> 
> If some AllowedIPs trick is working for you and you're using Python and the kernel version of WireGuard, check out [1], which will allow you to programmatically set up the interface.
> 
> FWIW, I'm not sure adding complication to AllowedIPs is the right approach, but adding it to a tool seems reasonable. Maybe it also makes sense to allow an IPset, but I haven't thought it through. My gut says routing prior to WireGuard is probably what you're looking for.
> 
> [1] https://github.com/ArgosyLabs/wgnlpy
> 
> ~Derrick • iPhone
> 
>> On Aug 22, 2019, at 12:10 PM, Aryn Starr <whereislelouch@icloud.com> wrote:
>> 
>> I live in Iran, and here the internet censorship is fierce. I need to route almost all of my traffic through the VPN, but some domestic sites are not accessible from the US. Also, since ISPs apply different censoring rules, sometimes my own servers are not reachable via the VPN (because the server’s ISP blocks the VPN, while my local ISP does not.)
>> The best current solution I’ve seen is
>> ```
>> $ python3
>> 
>> >>> import ipaddress
>> >>> n1 = ipaddress.ip_network('106.203.202.0/23')
>> >>> n2 = ipaddress.ip_network('106.203.203.13/32')
>> >>> l = list(n1.address_exclude(n2))
>> >>> print(l)
>> 
>> ```
>> Which is terrible.



* Re: [Feature Request] Add ability to exclude subnets from AllowedIPs
  2019-08-25 20:26   ` Aryn Starr
@ 2019-08-26 17:48     ` Ivan Labáth
  0 siblings, 0 replies; 4+ messages in thread
From: Ivan Labáth @ 2019-08-26 17:48 UTC (permalink / raw)
  To: Aryn Starr; +Cc: wireguard

Hello,

please note two separate steps with regards to wireguard routing.

1) kernel routing table (and iptables, policy routing, xfrm etc)
2) wg peer IPs (routing table)

The first step (1) chooses which interface to use for a given packet.
If the chosen interface is a wireguard device, then step (2) is done
to choose the proper peer to send the packet to. The same is done in
reverse when accepting packets to prevent spoofing: in (2) - always,
in (1) - depending on configuration.

If you want to send packets outside the tunnel, you need to properly
set up (1). Setting (2) wg peer IPs is mostly irrelevant (aside from
peers being permitted to originate packets from given IPs, which, in some
setups would not be automatically dropped).

If you want to send packets to specific ips via a different peer
(e.g. one that can route Iranian ips), then you should assign those
ips to the different peer (2).


Basic routing, both in wireguard and kernel routing tables of most
operating systems, routes according to the most specific matching
route. Meaning, if you add a route to another peer/device, it is
automatically excluded from the less specific default one, and
under normal* circumstances, there is no need to explicitly exclude
them.

* if you are concerned about accidentally sending packets to undesired
peers, you should think about what happens before the device is up or
if it goes down (removing routes) or if the peer is removed (again,
removing routes) or similar circumstances.
For kernel routing, firewall is your friend. For wireguard... I guess
explicitly excluding IPs would be prudent.

Regards,
Ivan


On Mon, Aug 26, 2019 at 12:56:45AM +0430, Aryn Starr wrote:
> I haven’t tested that AllowedIPs approach actually. I’ll take a look at that Python wrapper, thanks.
> I don’t know much about iptables and routing. I think learning it sufficiently will take quite some time? Or are there some tutorials around?
> I also actually use WireGuard with macOS (though I occasionally use it on Linux, too).
> 
> > On Aug 25, 2019, at 11:47 PM, Derrick Lyndon Pallas <derrick@pallas.us> wrote:
> > 
> > Why wouldn't this happen as an iptables rule?
> > 
> > If some AllowedIPs trick is working for you and you're using Python and the kernel version of WireGuard, check out [1], which will allow you to programmatically set up the interface.
> > 
> > FWIW, I'm not sure adding complication to AllowedIPs is the right approach, but adding it to a tool seems reasonable. Maybe it also makes sense to allow an IPset, but I haven't thought it through. My gut says routing prior to WireGuard is probably what you're looking for.
> > 
> > [1] https://github.com/ArgosyLabs/wgnlpy
> > 
> > ~Derrick • iPhone
> > 
> >> On Aug 22, 2019, at 12:10 PM, Aryn Starr <whereislelouch@icloud.com> wrote:
> >> 
> >> I live in Iran, and here the internet censorship is fierce. I need to route almost all of my traffic through the VPN, but some domestic sites are not accessible from the US. Also, since ISPs apply different censoring rules, sometimes my own servers are not reachable via the VPN (because the server’s ISP blocks the VPN, while my local ISP does not.)
> >> The best current solution I’ve seen is
> >> ```
> >> $ python3
> >> 
> >> >>> import ipaddress
> >> >>> n1 = ipaddress.ip_network('106.203.202.0/23')
> >> >>> n2 = ipaddress.ip_network('106.203.203.13/32')
> >> >>> l = list(n1.address_exclude(n2))
> >> >>> print(l)
> >> 
> >> ```
> >> Which is terrible.


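The two ideas in this thread, worked through as an added example that is not code from the thread or from wgnlpy: the `address_exclude()` one-liner from the first post generalized to several base prefixes and several exclusions (the "everything except these holes" AllowedIPs list the feature request asks for), and Ivan's longest-prefix point, modelled as a lookup where a /32 to a second peer is carved out of 0.0.0.0/0 with no exclusion at all. The /23 and /32 are the ones from the first post; the peer names and the other sample prefixes are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

def allowed_ips_excluding(base: Iterable[str], excluded: Iterable[str]) -> List:
    """Minimal prefix list covering every address in `base` except `excluded`.

    Generalizes the ipaddress.address_exclude() snippet from the first post to
    several base prefixes and several exclusions (all of one IP version).
    """
    nets = [ipaddress.ip_network(n) for n in base]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        remaining = []
        for net in nets:
            if net.subnet_of(ex):
                continue                       # the exclusion swallows this prefix
            if ex.subnet_of(net):
                remaining.extend(net.address_exclude(ex))  # split around the hole
            else:
                remaining.append(net)          # disjoint: keep as is
        nets = remaining
    # collapse_addresses merges adjacent siblings, drops duplicates and sorts
    return list(ipaddress.collapse_addresses(nets))

def address_count(nets) -> int:
    return sum(n.num_addresses for n in nets)

def covers(nets, ip: str) -> bool:
    """True if some prefix in `nets` contains `ip`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def select_route(table: Dict[str, str], dst: str) -> Optional[str]:
    """Longest-prefix match as both the kernel table (Ivan's step 1) and
    WireGuard's per-peer AllowedIPs (step 2) do it: the most specific prefix
    containing `dst` wins, so a /32 to another peer is automatically carved out
    of 0.0.0.0/0 with no explicit exclusion."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

if __name__ == "__main__":
    # The /23 and /32 are from the first post; peer names are constructed.
    hole = "106.203.203.13/32"
    print(allowed_ips_excluding(["106.203.202.0/23"], [hole]))
    # What the feature request asks for: everything except the hole (32 prefixes).
    full = allowed_ips_excluding(["0.0.0.0/0"], [hole])
    print(len(full), address_count(full))
    # Same effect via a more-specific route to a second peer, no exclusion needed.
    table = {"0.0.0.0/0": "peer-abroad", hole: "peer-domestic"}
    print(select_route(table, "106.203.203.13"), select_route(table, "1.1.1.1"))
```

The 32-prefix list is what a client would have to paste into AllowedIPs to emulate exclusion, which is the "terrible" part of the first post; the route table shows why Ivan says a more specific route makes that unnecessary under normal circumstances.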
